Frequently Asked Questions about BIND 9 Q: Why doesn't -u work on Linux 2.2.x? A: Linux threads do not fully implement the Posix threads (pthreads) standard. In particular, setuid() operates only on the current thread, not the full process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on all other supported platforms. setuid() cannot be called before creating threads, since the server does not start listening on reserved ports until after threads have started. In the 2.3.99-pre3 and newer kernels, the ability to preserve capabilities across a setuid() call is present. This allows BIND 9 to call setuid() early, while retaining the ability to bind reserved ports. This is a Linux-specific hack. On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of a security risk than a root process that has not dropped privileges. If Linux threads ever work correctly, this restriction will go away. Configuring BIND9 with the --disable-threads option causes a non-threaded version to be built, which will allow -u to be used. Q: Why does named log the error message "no TTL specified" and refuse to load my zone file? A: Your zone file must either have a line like $TTL 86400 at the beginning, or the first record in it must have a TTL field, like the "84600" in this example: example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) BIND 8 incorrectly accepted files that had neither. Q: Why do I see 5 (or more) copies of named on Linux? A: Linux threads each show up as a process under ps. The approximate number of threads running is n+4, where n is the number of CPUs. Note that the amount of memory used is not cumulative; if each process is using 10M of memory, only a total of 10M is used. Q: Why does BIND 9 log "permission denied" errors accessing its configuration files or zones on my Linux system even though it is running as root? A: On Linux, BIND 9 drops most of its root privileges on startup. This including the privilege to open files owned by other users. Therefore, if the server is running as root, the configuration files and zone files should also be owned by root. Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: ran out of space" A: This is often caused by TXT records with missing close quotes. Check that all TXT records containing quoted strings have both open and close quotes. Q: How do I produce a usable core file on Linux? A: Apply the kernel patch found in bind9/linux/coredump-patch and rebuild the kernel. This patch causes multithreaded programs to dump the correct thread. Q: How do I restrict people from looking up the server version? A: Put a "version" option containing something other than the real version in the "options" section of named.conf. Note doing this will not prevent attacks and may impede people trying to diagnose problems with your server. Also it is possible to "fingerprint" nameservers to determine their version. Q: How do I restrict only remote users from looking up the server version? A: The following view statement will intercept lookups as the internal view that holds the version information will be matched last. The caveats of the previous answer still apply, of course. view "chaos" chaos { match-clients { ; }; allow-query { none; }; zone "." { type hint; file "/dev/null"; // or any empty file }; }; Q: What do "no source of entropy found" or "could not open entropy source foo" mean? A: The server requires a source of entropy to perform certain operations, mostly DNSSEC related. These messages indicate that you have no source of entropy. On systems with /dev/random or an equivalent, it is used by default. A source of entropy can also be defined using the random-device option in named.conf. Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed under /usr. Check that the correct named is running. Q: I'm trying to install on AIX and compilation is failing with errors like "confparser.c", line 8244.1: 1506-343 (S) Redeclaration of token_to_keyword differs from previous declaration on line 348 of "confparser.c". A: You probably have a buggy version of GNU bison installed on your system. Remove bison it from your path, remove the config.cache file, and rerun configure so that it picks up the AIX yacc instead. Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm sure I have the keys set up correctly, but the server is rejecting the TSIG. Why? A: This may be a clock skew problem. Check that the the clocks on the client and server are properly synchronized (e.g., using ntp). Q: I'm trying to compile BIND 9, and "make" is failing due to files not being found. Why? A: Using a parallel or distributed "make" to build BIND 9 is not supported, and doesn't work. If you are using one of these, use normal make or gmake instead. Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's wrong? A: This error message is caused by a known bug in BIND 8.2.3 and will be fixed in 8.2.4. It can be safely ignored - the notify has been acted on by the slave despite the error message.